1 Introduction

Given a prime power $q$ and a positive integer $N$, it is natural to wonder how likely it is for a randomly chosen elliptic curve over $\mathbf{F}_q$ to have $N$ dividing the number of its $\mathbf{F}_q$-defined points. The purpose of this paper is to make sense of this question and to provide an estimate for its answer.

Since $\mathbf{F}_q$-isomorphic curves have the same number of $\mathbf{F}_q$-defined points, we will only be interested in $\mathbf{F}_q$-isomorphism classes of elliptic curves over $\mathbf{F}_q$. In particular, we will look at the set

$$V(\mathbf{F}_q; N) = \{E/\mathbf{F}_q : N \mid \#E(\mathbf{F}_q)\} / \cong_{\mathbf{F}_q};$$

we want to know how large this set is, compared to the set of all $\mathbf{F}_q$-isomorphism classes of elliptic curves over $\mathbf{F}_q$. However, it will be easiest to estimate not the usual cardinality of $V(\mathbf{F}_q; N)$ but rather the weighted cardinality of $V(\mathbf{F}_q; N)$, where the weighted cardinality of a set $S$ of $\mathbf{F}_q$-isomorphism classes of elliptic curves over $\mathbf{F}_q$ is defined to be

$$\#'S = \sum_{[E] \in S} \frac{1}{\#\mathrm{Aut}_{\mathbf{F}_q}(E)},$$

where $[E]$ denotes the $\mathbf{F}_q$-isomorphism class of the elliptic curve $E$. Often, formulas for weighted cardinalities of such sets $S$ work out better than formulas for the usual cardinalities; for instance, we will see in Corollary 2.2 that

$$\#'\{E : E \text{ is an elliptic curve over } \mathbf{F}_q\} / \cong_{\mathbf{F}_q} = q, \qquad (1)$$

whereas the corresponding formula for the ordinary cardinality depends on the value of $q \bmod 12$. In any case, since $\mathrm{Aut}_{\mathbf{F}_q}(E) = \{\pm 1\}$ except possibly when $j(E)$ is $0$ or $1728$ (see [?], section III.10), the weighted cardinality of such a set $S$ is generally about half of its usual cardinality.

In view of (1), we will interpret the ratio $\#'V(\mathbf{F}_q; N)/q$ as the probability that a random elliptic curve over $\mathbf{F}_q$ has $N$ dividing the number of its $\mathbf{F}_q$-defined points. The following theorem gives an estimate of this ratio.

Theorem 1.1 There is a constant $C < 1/12 + 5\sqrt{2}/6 \approx 1.262$ such that the following statement is true: Given a prime power $q$, let $r$ be the multiplicative arithmetic function such that for all primes $\ell$ and positive integers $a$

$$r(\ell^a) = \begin{cases} \dfrac{1}{\ell^{a-1}(\ell - 1)} & \text{if } q \not\equiv 1 \bmod \ell^c; \\[2ex] \dfrac{\ell^{b+1} + \ell^{b} - 1}{\ell^{a+b-1}(\ell^2 - 1)} & \text{if } q \equiv 1 \bmod \ell^c, \end{cases}$$

where $b = \lfloor a/2 \rfloor$, the greatest integer less than or equal to $a/2$, and $c = \lceil a/2 \rceil$, the least integer greater than or equal to $a/2$. Then for all positive integers $N$ we have

$$\left| \frac{\#'V(\mathbf{F}_q; N)}{q} - r(N) \right| \le \frac{C N \rho(N) 2^{\nu(N)}}{\sqrt{q}}, \qquad (2)$$

where $\rho(N) = \prod_{p \mid N} (p+1)/(p-1)$ and $\nu(N)$ denotes the number of prime divisors of $N$.

It is interesting to note that $r(N)$ is greater than $1/N$ and for many values of $N$ is not much less than $1/\varphi(N)$. Thus, loosely speaking, when $q$ is large with respect to $N$ it is more likely that a random elliptic curve over $\mathbf{F}_q$ has $N$ dividing its number of points than it is that a random integer is divisible by $N$.
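As an added worked example (it is not part of the paper), the following Python computes $r(N)$ of Theorem 1.1 exactly, the error term $C N \rho(N) 2^{\nu(N)}/\sqrt{q}$, and, for a small prime $p > 3$, the weighted proportion $\#'V(\mathbf{F}_p; N)/p$ by brute force over short Weierstrass models; the function names, the choice $p = 101$, and the observation that each $\mathbf{F}_p$-isomorphism class is represented by exactly $(p-1)/\#\mathrm{Aut}(E)$ pairs $(a, b)$ are my own.

```python
# Added example (not from the paper): r(N) from Theorem 1.1 as an exact rational, the
# error bound C*N*rho(N)*2^nu(N)/sqrt(q), and a brute-force value of #'V(F_p; N)/p for a
# small prime p > 3 obtained by enumerating the curves y^2 = x^3 + a x + b over F_p.
from fractions import Fraction
from math import sqrt

C_BOUND = 1 / 12 + 5 * sqrt(2) / 6   # the constant of Theorem 1.1 satisfies C < 1.262


def factorize(n):
    """Return {prime: exponent} by trial division (inputs are small in this example)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def r_prime_power(q, ell, a):
    """r(ell^a) for the field F_q, following the two cases of Theorem 1.1."""
    b, c = a // 2, (a + 1) // 2          # b = floor(a/2), c = ceil(a/2)
    if q % ell**c != 1:
        return Fraction(1, ell**(a - 1) * (ell - 1))
    return Fraction(ell**(b + 1) + ell**b - 1, ell**(a + b - 1) * (ell**2 - 1))


def r(q, N):
    """r is multiplicative, so r(N) is the product of its prime-power values."""
    result = Fraction(1)
    for ell, a in factorize(N).items():
        result *= r_prime_power(q, ell, a)
    return result


def error_bound(q, N):
    """C * N * rho(N) * 2^nu(N) / sqrt(q): the right-hand side of inequality (2)."""
    primes = factorize(N)
    rho = 1.0
    for p in primes:
        rho *= (p + 1) / (p - 1)
    return C_BOUND * N * rho * 2**len(primes) / sqrt(q)


def weighted_proportion(p, N):
    """#'V(F_p; N) / p for a prime p > 3, computed by brute force.

    Each F_p-isomorphism class [E] is represented by exactly (p-1)/#Aut(E) pairs (a, b)
    with y^2 = x^3 + a x + b nonsingular (u in F_p^* acts by (a, b) -> (u^4 a, u^6 b)),
    so counting the pairs whose curve has N | #E(F_p) and dividing by (p-1) gives the
    weighted count #'V; dividing once more by p gives the ratio of Theorem 1.1.
    """
    chi = [-1] * p                       # chi[v] = Legendre symbol (v / p)
    chi[0] = 0
    for x in range(1, p):
        chi[x * x % p] = 1
    cubes = [x * x * x % p for x in range(p)]
    hits = 0
    for a in range(p):
        for b in range(p):
            if (4 * a**3 + 27 * b**2) % p == 0:     # singular cubic: not an elliptic curve
                continue
            # #E(F_p) = p + 1 + sum_x chi(x^3 + a x + b), the point at infinity counted once
            order = p + 1 + sum(chi[(cubes[x] + a * x + b) % p] for x in range(p))
            if order % N == 0:
                hits += 1
    return Fraction(hits, p * (p - 1))


if __name__ == "__main__":
    p = 101
    for N in (2, 3, 4, 6):
        observed = weighted_proportion(p, N)
        gap = abs(float(observed - r(p, N)))
        print(f"N={N}: #'V/p = {float(observed):.4f}, r(N) = {float(r(p, N)):.4f}, "
              f"|difference| = {gap:.4f} <= bound {error_bound(p, N):.3f}")
```

For $p = 101$ and $N = 2$ the brute-force value is exactly $(2p-1)/(3p) = 67/101$, within $0.004$ of $r(2) = 2/3$, even though the bound in (2) is still larger than $1$ at this size of $q$.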

H.W. Lenstra, Jr. has proven the inequality (2) in the special case when $N$ and $q$ are distinct primes with $q > 3$ (see [?], Proposition 1.14, page 660). Lenstra's proof depends on properties of modular curves over $\mathbf{F}_p$; in particular, he uses the modular curves $X(\ell)$ and $X_1(\ell)$, for primes $\ell \ne p$. My extension of Lenstra's proposition is obtained by extending his proof, and accordingly my proof will require the study of modular curves which I will denote $X_q(m,n)$.



In section 2, I briefly prove some results about forms that will be needed in sections 3 and 4. In section 3, I define the curves $X_q(m,n)$ as quotients of more familiar modular curves, give a modular interpretation of their $\mathbf{F}_q$-defined points, and use Weil's estimate to approximate the number of their $\mathbf{F}_q$-defined points. Finally, in section 4 I use the interpretation and bounds of section 3 for a number of curves to prove Theorem 1.1.

Notation: Throughout this paper, if $C$ is a curve over a field $K$, and if $L$ is an extension field of $K$, we will denote by $C_L$ the $L$-scheme $C \times_{\mathrm{Spec}(K)} \mathrm{Spec}(L)$. Similarly, if $P$ is a $K$-defined point on such a curve $C$, we will denote by $P_L$ the point on $C_L$ obtained from $P$ by base extension. If $E$ is an elliptic curve over $K$ with zero point $O$, then the curve $E_L$ has a unique structure of an elliptic curve over $L$ with zero point $O_L$; when we mention the curve $E_L$, we will be referring to it as an elliptic curve, unless we explicitly state otherwise. The letters $p$ and $\ell$ are reserved for prime numbers. For real numbers $x$, we will denote by $\lfloor x \rfloor$ the greatest integer less than or equal to $x$ and by $\lceil x \rceil$ the least integer greater than or equal to $x$. Also, we will make use of five arithmetic functions: the Möbius function $\mu$; the function $\nu$ such that $\nu(n)$ is the number of prime divisors of $n$; the Euler totient function $\varphi$, defined by $\varphi(n) = n \prod_{p \mid n} (1 - 1/p)$; the function $\psi$ defined by $\psi(n) = n \prod_{p \mid n} (1 + 1/p)$; and the function $\rho$ defined by $\rho(n) = \prod_{p \mid n} (p+1)/(p-1)$.

2 Forms

Definition: Let $E$ be an elliptic curve over a field $K$, and let $L$ be an extension field of $K$. An elliptic curve $E'$ over $K$ is called an $L/K$-form of $E$ (or simply a form of $E$, if $L$ and $K$ are clear from context) if $E_L$ and $E'_L$ are isomorphic over $L$. We denote by $\mathcal{E}(L/K; E)$ or simply $\mathcal{E}(E)$ the set of forms of $E$, up to $K$-isomorphism:

$$\mathcal{E}(L/K; E) = \{E'/K : E'_L \cong E_L\} / \cong_K;$$

and we denote by $[E']_K$ or simply $[E']$ the $K$-isomorphism class of $E'$. Suppose we are also given points $P, Q \in E(K)$. A triple $(E', P', Q')$, where $E'$ is an elliptic curve over $K$ and $P'$ and $Q'$ are points of $E'(K)$, is called an $L/K$-form of $(E, P, Q)$ if there is an $L$-isomorphism from $E_L$ to $E'_L$ that takes $P_L$ to $P'_L$ and $Q_L$ to $Q'_L$. We denote by $\mathcal{E}(E, P, Q) = \mathcal{E}(L/K; E, P, Q)$ the set of $L/K$-forms of $(E, P, Q)$, up to $K$-isomorphism, and we denote by $[E', P', Q']_K$ the $K$-isomorphism class of the triple $(E', P', Q')$.

Suppose $L$ is a finite or infinite Galois extension of $K$ with topological Galois group $G$, and suppose $E$ is an elliptic curve over $K$. Let $A$ be the finite group $\mathrm{Aut}_L(E_L)$ of all $L$-automorphisms of $E_L$, and let $B$ be the group of all commutative diagrams

$$\begin{array}{ccc} E_L & \xrightarrow{\ \alpha\ } & E_L \\ \downarrow & & \downarrow \\ \mathrm{Spec}(L) & \xrightarrow{\ \bar\sigma\ } & \mathrm{Spec}(L) \end{array}$$

where $\alpha$ is an automorphism of $E_L$ as a $K$-scheme that fixes the zero point of $E_L$, and where for any element $\sigma$ of $G$ we denote by $\bar\sigma$ the scheme automorphism of $\mathrm{Spec}(L)$ obtained from the field automorphism $\sigma^{-1}$ of $L$. There is clearly an exact sequence of groups

$$1 \to A \to B \xrightarrow{\ \pi\ } G \to 1 \qquad (3)$$

where $\pi$ is the projection map taking an element $(\alpha, \sigma)$ of $B$ to the element $\sigma$ of $G$. The sequence (3) has a canonical splitting $G \to B$ defined by sending $\sigma \in G$ to the element $(1 \times \bar\sigma, \sigma)$ of $B$, where $1 \times \bar\sigma$ is the $K$-scheme automorphism of $E_L = E \times_{\mathrm{Spec}(K)} \mathrm{Spec}(L)$ obtained by fixing $E$ and applying $\bar\sigma$ to $\mathrm{Spec}(L)$. As a set, $B$ is the product of $A$ and $G$; if we give $A$ the discrete topology and $B$ the product topology, the sequence (3) is even an exact sequence of topological groups.

From [?] (see in particular section III.1.3), we know that $\mathcal{E}(L/K; E)$ is isomorphic (as a set with a distinguished element) to the cohomology set $H^1(G, A)$, where the cohomology is in the sense of section I.5 of [?] (see also [?], sections X.2 and X.5). A cocycle, in this sense, corresponds to a continuous homomorphism $s : G \to B$ splitting the exact sequence (3); such a section gives an action of $G$ on $E_L$, and this defines by Galois descent an elliptic curve $E(s)/K$ and an isomorphism $f_s : E_L \to E(s)_L$, unique up to $\mathrm{Aut}_K(E(s))$ (see [?] or section V.20 of [?] for the case of finite extensions $L/K$, and compare problem II.4.7 (page 106) of [?]). The group $A$ acts on the set $S$ of sections by conjugation, and two cocycles are cohomologous if and only if their associated sections lie in the same $A$-orbit of $S$. Also, the stabilizer of a section $s$ is isomorphic to the group of $K$-automorphisms of the associated form $E(s)$. Thus the orbit-decomposition formula ([?], page 23) gives

$$\sum_{[E'] \in \mathcal{E}(E)} \frac{\#A}{\#\mathrm{Aut}_K(E')} = \#S. \qquad (4)$$

Proposition 2.1 Let $E$ be an elliptic curve over a finite field $\mathbf{F}_q$. Then

$$\sum_{[E'] \in \mathcal{E}(\overline{\mathbf{F}}_q/\mathbf{F}_q; E)} \frac{1}{\#\mathrm{Aut}_{\mathbf{F}_q}(E')} = 1. \qquad (5)$$

PROOF: In the discussion above, take $K = \mathbf{F}_q$ and $L = \overline{\mathbf{F}}_q$. Since $\mathrm{Gal}(\overline{\mathbf{F}}_q/\mathbf{F}_q) = \hat{\mathbf{Z}}$, the exact sequence (3) becomes

$$1 \to A \to B \xrightarrow{\ \pi\ } \hat{\mathbf{Z}} \to 1.$$

Since $\hat{\mathbf{Z}}$ is freely generated as a profinite group by $1$, a section $s : \hat{\mathbf{Z}} \to B$ is determined by $s(1)$, and every element of $\pi^{-1}(1)$ gives rise to a section. Thus, $\#S = \#\pi^{-1}(1) = \#A$, and dividing equation (4) by the finite number $\#A$ yields (5). □

Corollary 2.2 For every prime power $q$,

$$\#'\{E : E \text{ is an elliptic curve over } \mathbf{F}_q\} / \cong_{\mathbf{F}_q} = q.$$

PROOF: Let $T$ be the set of elliptic curves over $\mathbf{F}_q$ up to $\overline{\mathbf{F}}_q$-isomorphism and let $U$ be the set of elliptic curves over $\mathbf{F}_q$ up to $\mathbf{F}_q$-isomorphism. We know that the $j$-invariant provides a bijection between $T$ and $\mathbf{F}_q$, so $\#T = q$. Also, $U = \bigsqcup_{[E] \in T} \mathcal{E}(E)$, so that

$$\#'U = \sum_{[E] \in T} \ \sum_{[E'] \in \mathcal{E}(E)} \frac{1}{\#\mathrm{Aut}_{\mathbf{F}_q}(E')} = \sum_{[E] \in T} 1 = q$$

as claimed. □



There is a result analogous to Proposition 2.1 for the forms of a triple $(E, P, Q)$.

Proposition 2.3 Let $E$ be an elliptic curve over a finite field $\mathbf{F}_q$, and let $P, Q \in E(\mathbf{F}_q)$. Then

$$\sum_{[E', P', Q'] \in \mathcal{E}(\overline{\mathbf{F}}_q/\mathbf{F}_q; E, P, Q)} \frac{1}{\#\mathrm{Aut}_{\mathbf{F}_q}(E', P', Q')} = 1,$$

where $\mathrm{Aut}_{\mathbf{F}_q}(E', P', Q')$ denotes the subgroup of $\mathrm{Aut}_{\mathbf{F}_q}(E')$ consisting of those automorphisms that fix $P'$ and $Q'$.

PROOF: This result follows from making the obvious changes in the proof of Proposition 2.1 and the discussion preceding it. □

Notation: Suppose $L$ is a Galois extension of a field $K$, $E$ is an elliptic curve over $K$, and $F$ is an $L/K$-form of $E$. Given an isomorphism $f : E_L \to F_L$ and an element $\sigma$ of $\mathrm{Gal}(L/K)$, let $f^\sigma$ be the isomorphism $(1 \times \bar\sigma) \circ f \circ (1 \times \bar\sigma)^{-1} : E_L \to F_L$ (here one of the $1 \times \bar\sigma$'s is a $K$-scheme automorphism of $E_L$, and the other is a $K$-scheme automorphism of $F_L$). If $f$ is defined locally by polynomials with coefficients in $L$, then $f^\sigma$ is defined by the same polynomials with $\sigma$ applied to the coefficients.

Proposition 2.4 Let $E$ be an elliptic curve over a finite field $\mathbf{F}_q$, and let $\alpha$ be an automorphism of $E_{\overline{\mathbf{F}}_q}$. Then there is an $\overline{\mathbf{F}}_q/\mathbf{F}_q$-form $F$ of $E$ and an isomorphism $f : E_{\overline{\mathbf{F}}_q} \to F_{\overline{\mathbf{F}}_q}$ such that $\alpha = f^{-1} \circ f^{\sigma}$, where $\sigma$ is the $q$-th power automorphism of $\overline{\mathbf{F}}_q$.

PROOF: With notation as above, let $s : G \to B$ be the section defined by sending $\sigma$ to $(\alpha \circ (1 \times \bar\sigma), \sigma)$ and let $F = E(s)$ and $f = f_s$. It is not difficult to check that $\alpha = f^{-1} \circ f^{\sigma}$. □

3 Modular curves over finite fields

As indicated in the Introduction, in section 4 we will need to use bounds obtained from modular curves other than the "standard" modular curves $X(\ell)$ and $X_1(\ell)$. In this section we define the curves we will need, and prove some basic results about them.

First, we recall some facts about Frobenius morphisms of schemes and elliptic curves (see the discussion in [?], chapter 12). For any scheme $S$ over $\mathbf{F}_p$, we define the ($p^r$-th power) absolute Frobenius morphism $F_{p^r,\mathrm{abs}} : S \to S$ to be the morphism corresponding to the endomorphism $x \mapsto x^{p^r}$ of affine rings. If $S$ is a scheme over a field $K$ of characteristic $p > 0$, we denote by $S^{(p^r)}$ the scheme over $K$ defined by the cartesian diagram

$$\begin{array}{ccc} S^{(p^r)} & \longrightarrow & S \\ \downarrow & & \downarrow \\ \mathrm{Spec}(K) & \xrightarrow{\ F_{p^r,\mathrm{abs}}\ } & \mathrm{Spec}(K) \end{array}$$

so that if $S$ is defined locally by polynomials $f_i \in K[x_1, \dots, x_n]$ then $S^{(p^r)}$ is defined locally by the polynomials $f_i^{(p^r)}$ obtained from the $f_i$ by raising all the coefficients to the $p^r$-th power.

In view of the cartesian property of the above diagram, the $p^r$-th power absolute Frobenius on $S$ factors through $S^{(p^r)}$; that is, there is a morphism $F_{p^r} = F_{p^r, S/K} : S \to S^{(p^r)}$ of $K$-schemes, called the ($p^r$-th power relative-to-$K$) Frobenius, such that $F_{p^r}$ composed with the map from $S^{(p^r)}$ to $S$ is the morphism $F_{p^r,\mathrm{abs}}$ on $S$. If $S$ is affine and defined by polynomials $f_i$ as above, then $F_{p^r}$ takes a point $P = (a_1, \dots, a_n)$ on $S$ to the point $P^{(p^r)} = (a_1^{p^r}, \dots, a_n^{p^r})$ on $S^{(p^r)}$. In the special case where $S$ is an elliptic curve $E$ over $K$, there is a natural elliptic curve structure on $E^{(p^r)}$, and the Frobenius $F_{p^r}$ is actually an isogeny. The dual isogeny of $F_{p^r}$ (see [?], section III.6) is the Verschiebung $V_{p^r} : E^{(p^r)} \to E$, and the composed map $V_{p^r} \circ F_{p^r} : E \to E$ is the multiplication-by-$p^r$ map on $E$.



We also recall that an elliptic curve $E$ over a field $K$ of characteristic $p > 0$ is called supersingular if $E$ has no $\overline{K}$-defined points of order $p$ (see [?], section V.3). This is equivalent to the condition that for some $r > 0$ the only $\overline{K}$-valued point in the kernel of the Verschiebung $V_{p^r}$ is the zero point (which implies the same statement for all $r > 0$).

The following notation will be useful in this section and the next.

Notation: Suppose $p$ is a prime number and $m$ and $n$ are positive integers with $m \mid n$ and $m$ coprime to $p$, and write $n = n'p^r$ with $n'$ coprime to $p$. If $K$ is a field of characteristic $p$ containing a primitive $m$-th root of unity $\zeta_m$ and $L$ is an extension field of $K$, we denote by $Z(L/K; \zeta_m, m, n)$ the set of $L$-isomorphism classes

$$Z(L/K; \zeta_m, m, n) = \Big\{ (E, P, Q, R) : E \text{ is an elliptic curve over } K,\ P, Q \in E(K) \text{ with } \mathrm{ord}\,P = m \text{ and } \mathrm{ord}\,Q = n' \text{ and } e_m(P, (n'/m)Q) = \zeta_m, \text{ and } R \in E^{(p^r)}(K) \text{ such that } R_{\overline{K}} \text{ generates the kernel of the Verschiebung } V_{p^r} : E^{(p^r)}_{\overline{K}} \to E_{\overline{K}} \Big\} \Big/ \cong_L$$

where $\mathrm{ord}\,P$ is the order of $P$ in the group $E(K)$ and $e_m$ is the Weil pairing on $E[m]$ (see [?], section III.8), and where two such quadruples $(E, P, Q, R)$ and $(E', P', Q', R')$ are said to be $L$-isomorphic if there is an $L$-isomorphism $f : E_L \to E'_L$ such that $f$ takes $P_L$ to $P'_L$ and $Q_L$ to $Q'_L$ and such that $f^{(p^r)}$ takes $R_L$ to $R'_L$. Denote by $[E, P, Q, R]_L$ the $L$-isomorphism class of the quadruple $(E, P, Q, R)$.

Also, we denote by $Y(L/K; \zeta_m, m, n)$ the set of $L$-isomorphism classes

$$Y(L/K; \zeta_m, m, n) = \Big\{ (E, P, Q) : E \text{ is an elliptic curve over } K,\ P, Q \in E(K) \text{ with } \mathrm{ord}\,P = m \text{ and } \mathrm{ord}\,Q = n \text{ and } e_m(P, (n/m)Q) = \zeta_m \Big\} \Big/ \cong_L$$

where two such triples $(E, P, Q)$ and $(E', P', Q')$ are said to be $L$-isomorphic if there is an $L$-isomorphism $f : E_L \to E'_L$ that takes $P_L$ to $P'_L$ and $Q_L$ to $Q'_L$. Denote by $[E, P, Q]_L$ the $L$-isomorphism class of the triple $(E, P, Q)$.

Proposition 3.1 Let $q = p^e$ be a prime power, suppose $m$ and $n$ are positive integers such that $m \mid \gcd(n, q-1)$, write $n = n'p^r$ with $n'$ coprime to $p$, and pick a primitive $m$-th root of unity $\zeta_m \in \mathbf{F}_q$. There exists a proper nonsingular irreducible curve $X(m,n)$ over $\overline{\mathbf{F}}_q$ provided with a map $J : X(m,n) \to \mathbf{P}^1 \supset D = \mathrm{Spec}(\overline{\mathbf{F}}_q[j])$ with the following properties:

1. There is a natural bijection between the set of finite points of $X(m,n)$ (that is, the points in $J^{-1}(D)$) and the set $Z(\overline{\mathbf{F}}_q/\overline{\mathbf{F}}_q; \zeta_m, m, n)$.

2. The bijection given in 1 has the property that if $x \in X(m,n)$ corresponds to $[E, P, Q, R]_{\overline{\mathbf{F}}_q}$ then $J(x) = j(E)$, the $j$-invariant of $E$.

3. $X(m,n)$ can be defined naturally over $\mathbf{F}_q$; that is, there is a proper nonsingular irreducible curve $X_q(m,n)$ over $\mathbf{F}_q$ and an isomorphism

$$X(m,n) \cong X_q(m,n) \times_{\mathrm{Spec}(\mathbf{F}_q)} \mathrm{Spec}(\overline{\mathbf{F}}_q) \qquad (6)$$

such that the $q$-th power relative-to-$\overline{\mathbf{F}}_q$ Frobenius map $F : X(m,n) \to X(m,n)$ obtained from the isomorphism (6) and the canonical identification

$$\big(X_q(m,n) \times_{\mathrm{Spec}(\mathbf{F}_q)} \mathrm{Spec}(\overline{\mathbf{F}}_q)\big)^{(q)} = X_q(m,n) \times_{\mathrm{Spec}(\mathbf{F}_q)} \mathrm{Spec}(\overline{\mathbf{F}}_q)$$

has the property that if the point $x \in X(m,n)$ corresponds to $[E, P, Q, R]_{\overline{\mathbf{F}}_q}$, then $F(x)$ corresponds to $[E^{(q)}, P^{(q)}, Q^{(q)}, R^{(q)}]_{\overline{\mathbf{F}}_q}$.

PROOF: We will rely heavily on results from [?]. First consider the case where $n' > 2$.

Pick a primitive $n'$-th root of unity $\zeta_{n'} \in \overline{\mathbf{F}}_q$ such that $\zeta_m = \zeta_{n'}^{\,n'/m}$, let $X(n', n)$ be the $\overline{\mathbf{F}}_q$-scheme denoted in [?] by $\mathcal{M}([\Gamma(n')]^{\mathrm{can}}, [\mathrm{Ig}(p^r)])$ (in [?], see sections 4.3 and 8.6 for the definition of $\mathcal{M}(\cdot)$, sections 3.1 and 9.1 for the definition of $[\Gamma(n')]^{\mathrm{can}}$, and section 12.3 for the definition of $[\mathrm{Ig}(p^r)]$), and let $J' : X(n', n) \to D = \mathrm{Spec}(\overline{\mathbf{F}}_q[j])$ be the natural map from $X(n', n)$ to the "$j$-line" $\mathbf{P}^1$ defined in section 8.2 of [?]. By their very definitions, $X(n', n)$ and $J'$ satisfy statements 1 and 2 of the proposition (with $m$ replaced by $n'$ and $J$ replaced by $J'$), and from Corollary 12.7.2 (page 368) of [?], whose hypotheses are satisfied when $n' > 2$, we see that $X(n', n)$ is a proper nonsingular irreducible curve. From chapter 7 of [?], we know the group

$$G = \big(\mathrm{SL}_2(\mathbf{Z}/n'\mathbf{Z}) \times (\mathbf{Z}/p^r\mathbf{Z})^*\big) \big/ \pm 1$$

(where the group $\{\pm 1\}$ is embedded diagonally in the product) acts on the covering $X(n', n)$ of $\mathbf{P}^1$; the action is such that an element

$$\pm \left( \begin{pmatrix} a & b \\ c & d \end{pmatrix}, u \right)$$

of $G$ takes the point corresponding to the class $[E, P, Q, R]_{\overline{\mathbf{F}}_q} \in Z(\overline{\mathbf{F}}_q/\overline{\mathbf{F}}_q; \zeta_{n'}, n', n)$ to the point corresponding to the class $[E, aP + cQ, bP + dQ, uR]_{\overline{\mathbf{F}}_q}$. In fact, from Corollaries 10.13.12 (page 336) and 12.9.4 (page 381) of [?] we see that the degree of $X(n', n)$ over $\mathbf{P}^1$ is equal to $\#G$; since $G$ acts faithfully on $X(n', n)$, this shows that $X(n', n)$ is a Galois covering of $\mathbf{P}^1$ with group $G$.

Define a subgroup $H$ of $G$ by

$$H = \left\{ \pm \left( \begin{pmatrix} 1 & 0 \\ a & 1 \end{pmatrix}, 1 \right) \in G : a \equiv 0 \bmod m \right\}$$

and define $X(m,n)$ to be the quotient of $X(n', n)$ by the group $H$. Let $J : X(m,n) \to \mathbf{P}^1$ be the map induced from $J'$.

Now, a finite point on $X(m,n)$ corresponds to an $H$-orbit of the finite points on $X(n', n)$; thus, the finite points on $X(m,n)$ correspond to the $\overline{\mathbf{F}}_q$-isomorphism classes of sets of the form

$$\{(E, P + aQ, Q, R) : a \equiv 0 \bmod m\},$$

where $[E, P, Q, R]_{\overline{\mathbf{F}}_q} \in Z(\overline{\mathbf{F}}_q/\overline{\mathbf{F}}_q; \zeta_{n'}, n', n)$ and where two such sets $\{(E, P + aQ, Q, R)\}$ and $\{(E', P' + aQ', Q', R')\}$ are $\overline{\mathbf{F}}_q$-isomorphic if there is an isomorphism $f : E \to E'$ such that $f$ maps $Q$ to $Q'$ and the set $\{P + aQ\}$ to $\{P' + aQ'\}$ and such that $f^{(p^r)}$ maps $R$ to $R'$. But there is a natural bijection between the set of all such $\overline{\mathbf{F}}_q$-isomorphism classes and the set $Z(\overline{\mathbf{F}}_q/\overline{\mathbf{F}}_q; \zeta_m, m, n)$ given by sending the class of $\{(E, P + aQ, Q, R)\}$ to the class $[E, \tfrac{n'}{m}P, Q, R]_{\overline{\mathbf{F}}_q}$. Thus, $X(m,n)$ satisfies the property given in statement 1 of the proposition.

That $J$ satisfies the property given in statement 2 is a consequence of the fact that $J'$ satisfies the corresponding property and of the construction just given.

Finally, that $X(m,n)$ may be defined over $\mathbf{F}_q$ in the manner described in statement 3 follows from general principles given in [?] (see in particular the discussion in section 12.10) and from the fact that the correspondence in statement 1 refers only to structures (in particular, the element $\zeta_m$) that are defined over $\mathbf{F}_q$.

This completes the proof for the case where $n' > 2$. Now suppose $n' \le 2$. The problem with proceeding exactly as before is that the results in [?] that we used in the case $n' > 2$ (in particular, Corollaries 12.7.2, 10.13.12 and 12.9.4) don't apply when $n' \le 2$, because, in the language of [?], $[\Gamma(n')]^{\mathrm{can}}$ is not representable when $n' \le 2$. Thus, we have to make some very minor modifications to our previous argument, although the general idea is exactly the same.

If $n' = 2$ let $f = 2$; if $n' = 1$ and $p \ne 3$ let $f = 3$; if $n' = 1$ and $p = 3$ let $f = 4$. Consider the curve $X(fn', fn)$, which, as before, is a Galois covering of $\mathbf{P}^1$ with Galois group

$$G = \big(\mathrm{SL}_2(\mathbf{Z}/fn'\mathbf{Z}) \times (\mathbf{Z}/p^r\mathbf{Z})^*\big) \big/ \pm 1,$$

and which has an interpretation as in statement 1. Now let $H$ be the subgroup

$$H = \left\{ \pm \left( \begin{pmatrix} a & b \\ c & d \end{pmatrix}, 1 \right) \in G : a \equiv d \equiv 1 \bmod n',\ b \equiv 0 \bmod n', \text{ and } c \equiv 0 \bmod m \right\},$$

and let $X(m,n)$ be the quotient of $X(fn', fn)$ by $H$. The proof follows exactly as before. Thus, the proposition is valid for all values of $n'$. □

There are two special kinds of points on the curves $X(m,n)$ that we will need to keep track of.

Definition: Let $q$, $m$, $n$, $X(m,n)$, and $J$ be as in Proposition 3.1. A point $x \in X(m,n)$ is a cusp if $x$ is an element of $J^{-1}(\infty)$. A point of $X(m,n)$ which is not a cusp is called a finite point. A finite point of $X(m,n)$ is a supersingular point if it corresponds to an equivalence class $[E, P, Q, R]_{\overline{\mathbf{F}}_q}$ with a supersingular $E$.

Notation: We denote by $g_q(m,n)$ the genus of $X(m,n)$, by $c_q(m,n)$ the number of cusps of $X(m,n)$, and by $s_q(m,n)$ the number of supersingular points of $X(m,n)$.



Proposition 3.2 For all $q = p^e$, $m$, and $n = n'p^r$ as in Proposition 3.1 we have

$$g_q(m,n) \le \frac{1}{24} m \varphi(n) \psi(n) \qquad (7)$$

$$c_q(m,n) \le \varphi(n) \psi(n) \qquad (8)$$

and when $p \mid n$ (that is, when $r > 0$) we have

$$s_q(m,n) \le \frac{1}{3} m \varphi(n) \psi(n). \qquad (9)$$

PROOF: As in the preceding proof, we first assume that $n' > 2$.

Let the groups $G$ and $H$ be as in the proof of Proposition 3.1, so that $X(m,n)$ is the quotient of $X(n', n)$ by $H$. From Corollary 10.13.12 (page 336) and Corollary 12.9.4 (page 381) of [?] we find that

$$g_q(n', n) = \begin{cases} 1 + \dfrac{1}{24}(n - 6)\varphi(n)\psi(n) & \text{if } n' = n; \\[2ex] 1 + \dfrac{1}{48}(n - 12)\varphi(n)\psi(n') & \text{if } n' < n \end{cases} \qquad (10)$$

$$c_q(n', n) = \frac{1}{2}\varphi(n)\psi(n')$$

$$s_q(n', n) = \frac{p-1}{24} n' \varphi(n') \psi(n'). \qquad (11)$$

Since $\#H = n'/m$, the Riemann-Hurwitz formula ([?], Theorem 5.9, page 41) gives us the estimate

$$g_q(m,n) \le \begin{cases} 1 + \dfrac{m}{24 n'}(n - 6)\varphi(n)\psi(n) & \text{if } n' = n; \\[2ex] 1 + \dfrac{m}{48 n'}(n - 12)\varphi(n)\psi(n') & \text{if } n' < n, \end{cases}$$

which leads to (7).

We also have the trivial bound

$$c_q(m,n) \le c_q(n', n) = \frac{1}{2}\varphi(n)\psi(n') \le \frac{1}{2}\varphi(n)\psi(n),$$

which certainly implies (8).

To get a good bound for $s_q(m,n)$, we need to determine necessary conditions for an element of $H$ to fix a finite point of $X(n', n)$. So suppose $x$ is a finite point of $X(n', n)$, corresponding to the class $[E, P, Q, R]_{\overline{\mathbf{F}}_q}$; for a non-trivial element of $H$ to fix $x$, we must have $[E, P, Q, R]_{\overline{\mathbf{F}}_q} = [E, P + aQ, Q, R]_{\overline{\mathbf{F}}_q}$ for some $a$ with $a \equiv 0 \bmod m$ and $a \not\equiv 0 \bmod n'$, so there must be an automorphism $\alpha$ of $E$ that fixes $Q$ and sends $P$ to $P + aQ$. Thus $\alpha \ne \pm 1$, and from Corollary 2.7.1 (page 85) of [?] we see that $\alpha$ satisfies $\alpha^2 - t\alpha + 1 = 0$ for some integer $t$ with $|t| \le 1$. In particular, this means that $(2 - t)Q = 0$, which is impossible if $n' > 3$. Thus, if $n' > 3$ no non-trivial element of $H$ fixes any finite point of $X(n', n)$, so every finite point of $X(m,n)$ has $\#H$ points of $X(n', n)$ lying over it; this gives us

$$s_q(m,n) = \frac{m}{n'} s_q(n', n) = \frac{p-1}{24} m \varphi(n') \psi(n').$$

When $n' = 3$, we at least have the bound

$$s_q(m,n) \le s_q(n', n) \le \frac{p-1}{8} m \varphi(n') \psi(n'),$$

so that in any case if $p \mid n$ we have

$$s_q(m,n) \le \frac{1}{3} m \varphi(n) \psi(n).$$

This gives us (9).

Thus, when $n' > 2$, the inequalities of the proposition hold.

When $n' \le 2$, let $f$, $G$, and $H$ be as in the case $n' \le 2$ of the proof of Proposition 3.1, so that $X(m,n)$ is the quotient of $X(fn', fn)$ by $H$. Once again, one can check that equation (10) and the Riemann-Hurwitz formula lead to (7).

To prove (8), we note that it is possible to define $X(m, n')$ as the quotient of $X(fn', fn)$ by the subgroup of $G$ generated by $H$ and the image of $(\mathbf{Z}/p^r\mathbf{Z})^*$ in $G$; this gives us a map from $X(m,n)$ to $X(m,n')$ consistent with the maps from these curves to $\mathbf{P}^1$ and of degree at most $\varphi(p^r)$, so that $c_q(m,n) \le \varphi(p^r) c_q(m,n')$. From this inequality we see that it suffices to prove (8) when $n = n'$, that is, when $r = 0$. But from statement 1 of Theorem 10.9.1 (page 301) of [?] we can calculate that $c_q(2,2) = 3$, $c_q(1,2) = 2$, and $c_q(1,1) = 1$, so inequality (8) does hold when $r = 0$.

Finally, suppose $p \mid n$. Using the trivial bound $s_q(m,n) \le s_q(fn', fn)$ and equation (11), we see that

$$s_q(m,n) \le \frac{p-1}{24} fn' \varphi(fn') \psi(fn');$$

it is easy to check that this inequality implies (9), except when $n = p = 3$. But in this case we notice that $G = H$, so that $X(1,3) = \mathbf{P}^1$ has exactly one supersingular point (corresponding to the elliptic curve with $j$-invariant $0$), and we can verify (9) directly.

Thus, inequalities (7), (8), and (9) hold in every case. □

Remark: From equation (10) we see that $1/24$ is the smallest possible constant in inequality (7). The facts that $c_q(1,1) = 1$ and $s_2(1,2) = 1$ show that equality is sometimes obtained in inequalities (8) and (9).

We now focus on the curves $X_q(m,n)$. In particular, we may ask whether there is a modular interpretation for the $\mathbf{F}_q$-defined points of $X_q(m,n)$. The answer is "yes".

Proposition 3.3 Let $q$, $m$, $n = n'p^r$, $\zeta_m$, and $X_q(m,n)$ be as in Proposition 3.1. There is a bijection between the set of finite points of $X_q(m,n)(\mathbf{F}_q)$ (that is, the finite points of $X_q(m,n)$ that are defined over $\mathbf{F}_q$) and the set $Z(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$.

PROOF: Let $F : X(m,n) \to X(m,n)$ be the $q$-th power relative-to-$\overline{\mathbf{F}}_q$ Frobenius map, as in statement 3 of Proposition 3.1. Then there is a bijection between $X_q(m,n)(\mathbf{F}_q)$ and the set of points of $X(m,n)$ fixed by $F$, given by $x \mapsto x_{\overline{\mathbf{F}}_q}$. Again by statement 3 of Proposition 3.1, we know that the finite points of this last set correspond to the elements of the set

$$S = \big\{ [E, P, Q, R]_{\overline{\mathbf{F}}_q} \in Z(\overline{\mathbf{F}}_q/\overline{\mathbf{F}}_q; \zeta_m, m, n) : [E, P, Q, R]_{\overline{\mathbf{F}}_q} = [E^{(q)}, P^{(q)}, Q^{(q)}, R^{(q)}]_{\overline{\mathbf{F}}_q} \big\}.$$

Thus, we need only show that there is a bijection between the sets $S$ and $Z(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$.

There is clearly an injective map from $Z(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ to $S$ defined by sending $[E, P, Q, R]_{\overline{\mathbf{F}}_q}$ to $[E_{\overline{\mathbf{F}}_q}, P_{\overline{\mathbf{F}}_q}, Q_{\overline{\mathbf{F}}_q}, R_{\overline{\mathbf{F}}_q}]_{\overline{\mathbf{F}}_q}$. We need only show that this map is surjective.

Suppose $[E, P, Q, R]_{\overline{\mathbf{F}}_q}$ is an element of $S$, and let $f : E \to E^{(q)}$ be an isomorphism that takes the quadruple $(E, P, Q, R)$ to the quadruple $(E^{(q)}, P^{(q)}, Q^{(q)}, R^{(q)})$. Since $E \cong E^{(q)}$, we have $j(E) = j(E^{(q)}) = (j(E))^q$, so $j(E) \in \mathbf{F}_q$. Let $E'$ be any elliptic curve over $\mathbf{F}_q$ with $j(E') = j(E)$; since elliptic curves over $\overline{\mathbf{F}}_q$ are classified up to $\overline{\mathbf{F}}_q$-isomorphism by their $j$-invariants, there is an isomorphism $g : E \to E'_{\overline{\mathbf{F}}_q}$. By Proposition 2.4, there is a form $F$ of $E'$ and an isomorphism $h : E'_{\overline{\mathbf{F}}_q} \to F_{\overline{\mathbf{F}}_q}$ such that

$$g \circ f^{-1} \circ (g^{(q)})^{-1} = h^{-1} \circ h^{(q)},$$

and by replacing $E'$ with $F$ and $g$ with $h \circ g$, we may assume that $g^{(q)} \circ f \circ g^{-1}$ is the identity on $E'_{\overline{\mathbf{F}}_q}$.

Now consider the point $g(P) \in E'(\overline{\mathbf{F}}_q)$. We have

$$g(P) = (g^{(q)} \circ f \circ g^{-1})(g(P)) = g^{(q)}(f(P)) = g^{(q)}(P^{(q)}) = (g(P))^{(q)},$$

so $g(P)$ is an $\mathbf{F}_q$-defined point of $E'_{\overline{\mathbf{F}}_q}$; that is, there is a point $P' \in E'(\mathbf{F}_q)$ such that $g(P) = P'_{\overline{\mathbf{F}}_q}$. Similarly, we see that $g(Q)$ and $g^{(p^r)}(R)$ come from points $Q' \in E'(\mathbf{F}_q)$ and $R' \in E'^{(p^r)}(\mathbf{F}_q)$, so that $[E', P', Q', R']_{\overline{\mathbf{F}}_q}$ is an element of $Z(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ that maps to the element $[E, P, Q, R]_{\overline{\mathbf{F}}_q}$ of $S$. Thus, the natural map from $Z(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ to $S$ is bijective, and the proposition is proven. □

Remark: More generally, if $K$ is any field containing $\mathbf{F}_q$ and $\overline{K}$ is the algebraic closure of $K$, we know from Lemma 8.1.3.1 (page 225) of [?] that there is a bijection between the set of finite $\overline{K}$-valued points of $X_q(m,n)$ and $Z(\overline{K}/\overline{K}; \zeta_m, m, n)$, and we may ask whether the finite $K$-valued points of $X_q(m,n)$ correspond to the elements of $Z(\overline{K}/K; \zeta_m, m, n)$. The proof of Proposition 3.2 (page 274) of [?] provides an answer: The obstruction to a $K$-valued point giving rise to a quadruple $(E, P, Q, R)$ defined over $K$ lies in a certain $H^2$, and it is shown in the proof of Proposition 3.2 of [?] that this obstruction is zero. In the special case $K = \mathbf{F}_q$ we consider above, the argument simplifies, because in this case the whole $H^2$ where the obstruction lives is trivial. One can use this argument to provide a more conceptual proof of Proposition 3.3. The interested reader should consult [?].



Corollary 3.4 There is a constant $C' < 1/12 + 5\sqrt{2}/6 \approx 1.262$ such that for all $q$, $m$, and $n = n'p^r$ as in Proposition 3.1 the following statements are true:

1. If $n' = n$, then there is a bijection between the set $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ and the set of finite points of $X_q(m,n)(\mathbf{F}_q)$.

2. If $n' < n$, then there is a bijection between the set $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ and the set of finite non-supersingular points of $X_q(m,n)(\mathbf{F}_q)$.

3. We have the estimate

$$\left| \#Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n) - q \right| \le C' m \varphi(n) \psi(n) \sqrt{q}. \qquad (12)$$

PROOF: If $n' = n$ then there is a bijection between the sets $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ and $Z(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$, given by mapping $[E, P, Q]_{\overline{\mathbf{F}}_q}$ to $[E, P, Q, O]_{\overline{\mathbf{F}}_q}$, where $O$ is the zero element of $E = E^{(1)}$ (which generates the kernel of the Verschiebung $V_1$, the identity map). Thus, statement 1 follows immediately from Proposition 3.3.

If $n' < n$, let

$$Z'(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n) = \big\{ [E, P, Q, R]_{\overline{\mathbf{F}}_q} \in Z(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n) : E \text{ is not supersingular} \big\}.$$

Let $M$ be the map from $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ to $Z(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ that sends $[E, P, Q]_{\overline{\mathbf{F}}_q}$ to $[E, P, p^rQ, (n'Q)^{(p^r)}]_{\overline{\mathbf{F}}_q}$. The image of $M$ lies in $Z'(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$, because if $Q \in E(\mathbf{F}_q)$ has order $n$ then $n'Q$ has order $p^r \ne 1$, so that $E$ is not supersingular. Choose integers $a$ and $b$ such that $ap^r + bn' = 1$; then the inverse of $M$ is the map from $Z'(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ to $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ that sends $[E, P, Q, R]_{\overline{\mathbf{F}}_q}$ to $[E, P, aQ + bR']_{\overline{\mathbf{F}}_q}$, where $R'$ is the element of $E(\mathbf{F}_q)$ such that $(R')^{(p^r)} = R$ (this element exists and is unique because $\mathbf{F}_q$ is perfect). Thus $M$ is a bijection between $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ and $Z'(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$, so that statement 2 follows from Proposition 3.3.

To prove statement 3 we will need to use the Weil conjectures for curves (see [?] or [?]); in particular, we will need the inequality ([?], Corollaire 3, page 70)

$$\left| \#X_q(m,n)(\mathbf{F}_q) - 1 - q \right| \le 2 g_q(m,n) \sqrt{q}. \qquad (13)$$

First suppose that $n' = n$. Then statement 1, combined with the inequalities (7), (8), and (13), gives us

$$\left| \#Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n) - q \right| \le 1 + \varphi(n)\psi(n) + \frac{1}{12} m \varphi(n) \psi(n) \sqrt{q}.$$

On the other hand, if $n' < n$, then statement 2, combined with the inequalities (7), (8), (9), and (13), gives us

$$\left| \#Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n) - q \right| \le 1 + \varphi(n)\psi(n) + \frac{1}{3} m \varphi(n) \psi(n) + \frac{1}{12} m \varphi(n) \psi(n) \sqrt{q}.$$

Thus, statement 3 will hold if we choose $C'$ so that for all $q$, $m$, and $n$ we have

$$C' \ge \frac{1}{m \varphi(n) \psi(n) \sqrt{q}} + \frac{1}{m \sqrt{q}} + \frac{1}{3 \sqrt{q}} + \frac{1}{12}.$$

However, since $\#Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; 1, 1, 1) = q$ (as we noted in the proof of Corollary 2.2, where the set was called $T$), we need only have the above inequality when $n > 1$. Thus, $C' = 1/12 + 5\sqrt{2}/6$ will do. □

With inequality (12) in hand, we can proceed to the calculations of section 4.

4 Proof of the theorem

Fix a prime power $q = p^e$, and let $\zeta_{q-1}$ be a primitive $(q-1)$-th root of unity in $\mathbf{F}_q$. For each $m$ dividing $q - 1$, let $\zeta_m$ be the primitive $m$-th root of unity $\zeta_{q-1}^{(q-1)/m}$. Recall that for every pair $(m,n)$ of positive integers with $m$ dividing $\gcd(n, q-1)$ we have sets $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ and $Y(\overline{\mathbf{F}}_q/\overline{\mathbf{F}}_q; \zeta_m, m, n)$. For each pair $(m,n)$ with $m \mid n$ we also define a set

$$W(\mathbf{F}_q; m, n) = \{E/\mathbf{F}_q : E[n](\mathbf{F}_q) \cong (\mathbf{Z}/m\mathbf{Z}) \times (\mathbf{Z}/n\mathbf{Z})\} / \cong_{\mathbf{F}_q}.$$

Note that $W(\mathbf{F}_q; m, n)$ is empty unless $m$ divides $q - 1$; see Corollary 8.1.1 (page 98) of [?]. Also, for every positive integer $N$, we have the set $V(\mathbf{F}_q; N)$. Our goal is to estimate the weighted cardinality of $V(\mathbf{F}_q; N)$.
For all the appropriate values of $m$, $n$, and $N$, let $v(N) = \#'V(\mathbf{F}_q; N)$ and $w(m,n) = \#'W(\mathbf{F}_q; m, n)$ and $y(m,n) = \#Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ (note that $y(m,n)$ is a non-weighted cardinality). Corollary 3.4 gives us an estimate for $y(m,n)$ for all pairs $(m,n)$ with $m$ dividing $\gcd(n, q-1)$. To get from these estimates to an estimate for $v(N)$, we need to make explicit the relationships among the sets mentioned above.

Notation: Let $t$ and $u$ denote the multiplicative arithmetic functions defined on prime powers $\ell^a$ by $t(\ell^a) = \ell^{\lfloor a/2 \rfloor}$ and $u(\ell^a) = \ell^{\lceil a/2 \rceil}$; thus, for every positive integer $N$ we have $N/t(N)^2 = u(N)^2/N$, and this number is a squarefree integer. Also, given a positive integer $n$ and a prime number $\ell$, we will denote by $n_{(\ell)}$ the largest power of $\ell$ dividing $n$. Thus, for example, $t(24) = 2$ and $u(24) = 12$ and $24_{(2)} = 8$.

Lemma 4.1 Let $N$ be any positive integer. Then

$$V(\mathbf{F}_q; N) = \bigsqcup_{d \mid \gcd(u(N),\, q-1)} W\!\left(\mathbf{F}_q; d, \frac{N}{\gcd(d, t(N))}\right), \qquad (14)$$

and

$$v(N) = \sum_{d \mid \gcd(u(N),\, q-1)} w\!\left(d, \frac{N}{\gcd(d, t(N))}\right). \qquad (15)$$

PROOF: Since (15) follows from (14), it suffices to prove (14). Also, (14) is equivalent to

$$V(\mathbf{F}_q; N) = \bigsqcup_{d \mid u(N)} W\!\left(\mathbf{F}_q; d, \frac{N}{\gcd(d, t(N))}\right), \qquad (16)$$

because the additional sets we get in (16) are all empty.

It is easy to see that $W(\mathbf{F}_q; d, N/\gcd(d, t(N))) \subseteq V(\mathbf{F}_q; N)$ for each divisor $d$ of $u(N)$. On the other hand, suppose we are given an elliptic curve $E$ over $\mathbf{F}_q$ with $[E]_{\mathbf{F}_q} \in V(\mathbf{F}_q; N)$. It is not hard to show that if $d \mid u(N)$ then $[E]_{\mathbf{F}_q}$ is an element of $W(\mathbf{F}_q; d, N/\gcd(d, t(N)))$ if and only if $d$ is the largest divisor of $u(N)$ for which $\#E[d](\mathbf{F}_q) = d^2$; this is easy to check when $N$ is a prime power, and it suffices to check only this case because for all pairs $(m,n)$ with $m \mid n$ we have

$$W(\mathbf{F}_q; m, n) = \bigcap_{\text{primes } \ell} W(\mathbf{F}_q; m_{(\ell)}, n_{(\ell)}).$$

Thus, for every element $[E]_{\mathbf{F}_q}$ of $V(\mathbf{F}_q; N)$ there is a unique divisor $d$ of $u(N)$ with $[E]_{\mathbf{F}_q} \in W(\mathbf{F}_q; d, N/\gcd(d, t(N)))$, and we are done. □

Lemma 4.2 For every pair $(m,n)$ of positive integers with $m$ dividing $\gcd(n, q-1)$, we have

$$y(m,n) = m \varphi(n) \psi(n) \sum_{d \,:\, m \mid d \mid \gcd(n, q-1)} \frac{w(d,n)}{\psi(n/d)}. \qquad (17)$$

PROOF: Consider the map from $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$ to $\bigcup_{d : m \mid d \mid \gcd(n, q-1)} W(\mathbf{F}_q; d, n)$ that takes $[E, P, Q]_{\overline{\mathbf{F}}_q}$ to $[E]_{\mathbf{F}_q}$. This map is clearly surjective.

Consider an elliptic curve $E$ over $\mathbf{F}_q$ with $[E]_{\mathbf{F}_q} \in W(\mathbf{F}_q; d, n)$ for some $d$ with $m \mid d \mid \gcd(n, q-1)$. It is not difficult to check that there are exactly $m \varphi(n) \psi(n) / \psi(n/d)$ ways of choosing a pair $(P, Q)$ of points of $E(\mathbf{F}_q)$ with $\mathrm{ord}\,P = m$, $\mathrm{ord}\,Q = n$, and $e_m(P, (n/m)Q) = \zeta_m$. Two such pairs $(P, Q)$ and $(P', Q')$ satisfy $(E, P, Q) \cong_{\mathbf{F}_q} (E, P', Q')$ if and only if $(P', Q')$ lies in the $\mathrm{Aut}_{\mathbf{F}_q}(E)$-orbit of $(P, Q)$, and the size of this orbit is the index $[\mathrm{Aut}_{\mathbf{F}_q}(E) : \mathrm{Aut}_{\mathbf{F}_q}(E, P, Q)] = \#\mathrm{Aut}_{\mathbf{F}_q}(E) / \#\mathrm{Aut}_{\mathbf{F}_q}(E, P, Q)$. Summing over the various $\mathrm{Aut}_{\mathbf{F}_q}(E)$-orbits of such pairs, we obtain

$$\sum_{\text{orbits}} \frac{\#\mathrm{Aut}_{\mathbf{F}_q}(E)}{\#\mathrm{Aut}_{\mathbf{F}_q}(E, P, Q)} = \frac{m \varphi(n) \psi(n)}{\psi(n/d)}.$$

Dividing by $\#\mathrm{Aut}_{\mathbf{F}_q}(E)$ and summing over $\mathbf{F}_q$-isomorphism classes of $E$ we obtain

$$\sum_{[E, P, Q]_{\mathbf{F}_q} \in Y(\mathbf{F}_q/\mathbf{F}_q; \zeta_m, m, n)} \frac{1}{\#\mathrm{Aut}_{\mathbf{F}_q}(E, P, Q)} = \sum_{d \,:\, m \mid d \mid \gcd(n, q-1)} \frac{m \varphi(n) \psi(n)}{\psi(n/d)} \, w(d, n).$$

But the sum on the left hand side is

$$\sum_{[E', P', Q']_{\overline{\mathbf{F}}_q} \in Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)} \ \ \sum_{[E, P, Q]_{\mathbf{F}_q} \in \mathcal{E}(E', P', Q')} \frac{1}{\#\mathrm{Aut}_{\mathbf{F}_q}(E, P, Q)}$$

and by Proposition 2.3 this double sum is the cardinality of $Y(\overline{\mathbf{F}}_q/\mathbf{F}_q; \zeta_m, m, n)$. This gives us (17). □



Lemma 4.3 For every pair $(m,n)$ of positive integers with $m$ dividing $\gcd(n, q-1)$, we have

$$w(m,n) = \frac{\psi(n/m)}{m \varphi(n) \psi(n)} \sum_{j \mid (\gcd(n, q-1)/m)} \frac{\mu(j)}{j} \, y(mj, n). \qquad (18)$$

PROOF: We calculate:

$$\frac{w(m,n)}{\psi(n/m)} = \sum_{d \,:\, m \mid d \mid \gcd(n, q-1)} \frac{w(d,n)}{\psi(n/d)} \sum_{j \mid (d/m)} \mu(j) = \sum_{j \mid (\gcd(n, q-1)/m)} \mu(j) \sum_{d \,:\, mj \mid d \mid \gcd(n, q-1)} \frac{w(d,n)}{\psi(n/d)} = \sum_{j \mid (\gcd(n, q-1)/m)} \mu(j) \frac{y(mj, n)}{mj \, \varphi(n) \psi(n)},$$

where the last equality follows from (17). Multiplying by $\psi(n/m)$ we get (18). □

Now we use the approximation that Corollary 3.4 gives us for $y(m,n)$ to define approximations for $w(m,n)$ and $v(N)$; namely, for all pairs $(m,n)$ of positive integers with $m$ dividing $\gcd(n, q-1)$, we define

$$\tilde{w}(m,n) = \frac{q \, \psi(n/m)}{m \varphi(n) \psi(n)} \sum_{j \mid (\gcd(n, q-1)/m)} \frac{\mu(j)}{j} = \frac{q \, \psi(n/m)}{m \varphi(n) \psi(n)} \prod_{\ell \mid (\gcd(n, q-1)/m)} \left(1 - \frac{1}{\ell}\right),$$

and for all positive integers $N$ we define

$$\tilde{v}(N) = \sum_{d \mid \gcd(u(N),\, q-1)} \tilde{w}\!\left(d, \frac{N}{\gcd(d, t(N))}\right).$$

We see from Lemma 4.3 and Corollary 3.4 that

$$|w(m,n) - \tilde{w}(m,n)| \le \frac{\psi(n/m)}{m \varphi(n) \psi(n)} \sum_{j \mid (\gcd(n, q-1)/m)} \frac{|\mu(j)|}{j} \, |y(mj, n) - q| \le C' \psi(n/m) \sqrt{q} \sum_{j \mid (\gcd(n, q-1)/m)} |\mu(j)| \le C' \psi(n/m) 2^{\nu(n)} \sqrt{q},$$

where $\nu(n)$ denotes the number of prime divisors of $n$. From this error estimate and from Lemma 4.1, we find that

$$|v(N) - \tilde{v}(N)| \le \sum_{d \mid \gcd(u(N),\, q-1)} C' \psi(N/d) 2^{\nu(N)} \sqrt{q} \le C' \psi(N) 2^{\nu(N)} \sqrt{q} \sum_{d \mid N} \frac{1}{d} \le C' \psi(N) 2^{\nu(N)} \sqrt{q} \prod_{\ell \mid N} \frac{1}{1 - 1/\ell} = C' N \rho(N) 2^{\nu(N)} \sqrt{q}. \qquad (19)$$


To calculate $\tilde{w}(m,n)$ and $\tilde{v}(N)$, we note that the definition of $\tilde{w}(m,n)$ shows that the ratio $\tilde{w}(m,n)/q$ is multiplicative; that is,

$$\frac{\tilde{w}(m,n)}{q} = \prod_{\ell} \frac{\tilde{w}(m_{(\ell)}, n_{(\ell)})}{q}.$$

This equality, together with the definition of $\tilde{v}(N)$, shows that $\tilde{v}(N)/q$ is a multiplicative function of $N$. A straightforward (if tedious) verification shows that for prime powers $\ell^a$ we have

$$\frac{\tilde{v}(\ell^a)}{q} = \begin{cases} \dfrac{1}{\ell^{a-1}(\ell - 1)} & \text{if } q \not\equiv 1 \bmod \ell^c; \\[2ex] \dfrac{\ell^{b+1} + \ell^{b} - 1}{\ell^{a+b-1}(\ell^2 - 1)} & \text{if } q \equiv 1 \bmod \ell^c, \end{cases} \qquad (20)$$

where $b = \lfloor a/2 \rfloor$ and $c = \lceil a/2 \rceil$.

Inequality (19) and equation (20) show that Theorem 1.1 will be true if we take $C$ to be $C'$ and $r(N)$ to be the ratio $\tilde{v}(N)/q$. □
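As an added example (not from the paper), the following Python evaluates $\tilde{v}(N)/q$ directly from the definitions of $t$, $u$ and $\tilde{w}$ above and the sum over $d \mid \gcd(u(N), q-1)$ of Lemma 4.1, with no closed form built in; the values it returns are the $r(N)$ of Theorem 1.1, and the multiplicativity of $\tilde{v}(N)/q$ can be checked numerically. The function names are my own.

```python
# Added example (not from the paper): v~(N)/q computed from the section 4 definitions.
from fractions import Fraction
from math import gcd


def factorize(n):
    """Return {prime: exponent} by trial division (inputs are small here)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's function phi(n) = n * prod_{p | n} (1 - 1/p), computed exactly."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def psi(n):
    """The paper's psi(n) = n * prod_{p | n} (1 + 1/p), computed exactly."""
    result = n
    for p in factorize(n):
        result = result // p * (p + 1)
    return result


def t(N):
    """Multiplicative function with t(ell^a) = ell^floor(a/2)."""
    result = 1
    for ell, a in factorize(N).items():
        result *= ell ** (a // 2)
    return result


def u(N):
    """Multiplicative function with u(ell^a) = ell^ceil(a/2); N/t(N)^2 = u(N)^2/N is squarefree."""
    result = 1
    for ell, a in factorize(N).items():
        result *= ell ** ((a + 1) // 2)
    return result


def w_tilde_over_q(q, m, n):
    """w~(m, n)/q = psi(n/m) / (m phi(n) psi(n)) * prod_{ell | gcd(n, q-1)/m} (1 - 1/ell).

    Only defined when m | gcd(n, q-1); the product is the sum over j of mu(j)/j written
    as an Euler product over the primes dividing gcd(n, q-1)/m.
    """
    g = gcd(n, q - 1)
    assert g % m == 0, "w~(m, n) requires m | gcd(n, q-1)"
    value = Fraction(psi(n // m), m * phi(n) * psi(n))
    for ell in factorize(g // m):
        value *= Fraction(ell - 1, ell)
    return value


def v_tilde_over_q(q, N):
    """v~(N)/q = sum over d | gcd(u(N), q-1) of w~(d, N / gcd(d, t(N)))/q (Lemma 4.1)."""
    tN, uN = t(N), u(N)
    g = gcd(uN, q - 1)
    total = Fraction(0)
    for d in range(1, g + 1):
        if g % d == 0:
            total += w_tilde_over_q(q, d, N // gcd(d, tN))
    return total


if __name__ == "__main__":
    q = 7
    for N in range(1, 13):
        print(f"q={q}, N={N:2d}: v~(N)/q = {v_tilde_over_q(q, N)}   (1/N = {Fraction(1, N)})")
```

For $q = 7$ the output reproduces, for instance, $\tilde{v}(4)/q = 5/12$ and $\tilde{v}(9)/q = 11/72$, which are the two cases of (20) with $a = 2$, and $\tilde{v}(36)/q$ is their product.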